Security Vulnerability Found in Popular WPtouch WordPress Plugin

A recently discovered vulnerability in WPtouch, a popular plugin that's used to create simple themes for the mobile visitors of WordPress websites, can be leveraged by an attacker to upload PHP files to impacted servers, Sucuri reported on Monday.

According to the security firm, an attacker can take control of WordPress websites by uploading PHP backdoors and other pieces of malware to the site's directories.

The flaw, which is located in the "core/class-wptouch-pro.php" file, can only be exploited on websites that allow guest users to register, Sucuri researchers said. In this class-wptouch-pro.php file, the admin_initialize() method is called by the "admin_init" hook, the use of which recently led to a file upload vulnerability in a different popular WordPress plugin.
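Why an upload handler hung on "admin_init" needs its own checks, shown as an added example that is not part of the original post and is not WPtouch's code. The `myplugin_*` function, field and nonce names are hypothetical, and the choice of `manage_options` and of image-only MIME types is an assumption.

```php
<?php
// Hypothetical plugin code for illustration; not taken from WPtouch.
// admin_init fires on every admin-area request (admin-ajax.php and
// admin-post.php included) regardless of the requesting user's role,
// so the hook by itself is not an authorization check.
add_action( 'admin_init', 'myplugin_handle_upload' );

function myplugin_handle_upload() {
    // Ignore requests that are not this plugin's upload form.
    if ( empty( $_POST['myplugin_upload'] ) || empty( $_FILES['myplugin_file'] ) ) {
        return;
    }

    // 1. Authorization: require a capability that self-registered
    //    (subscriber-level) accounts do not hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Request integrity: verify the nonce issued with the form.
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'myplugin_upload', 'myplugin_nonce' );

    // 3. Content restriction: allow-list extensions and MIME types so
    //    that .php and other executable files are rejected.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'png'      => 'image/png',
            'jpg|jpeg' => 'image/jpeg',
        ),
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['myplugin_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // On success, $result['file'] and $result['url'] describe the stored upload.
}
```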

Re: Security Vulnerability Found in Popular WPtouch WordPress Plugin

(Vulnerability in Premium WordPress Plugin Exploited in the Wild)

A popular WordPress plugin that enables users to easily create responsive sliders is plagued by a security hole that has been actively exploited by cybercriminals, Sucuri reported on Wednesday.

Slider Revolution is a premium WordPress plugin created by ThemePunch that has been sold over 34,000 times on the snippets and scripts marketplace CodeCanyon. The plugin is also wrapped into several theme packages for WordPress.

A vulnerability was found in version 4.1.4 and older of the plugin, but the flaw was patched by the developer back in February with the release of Slider Revolution 4.2. The company listed a "security fix" in the changelog at the time, but it didn't provide any details because security firms allegedly advised it not to.

An exploit has been published on hacker forums and is being actively used to compromise websites. On Wednesday alone, Sucuri identified 64 IP addresses attempting to trigger the vulnerability on over 1,000 websites. Data from the security firm shows that the attacks started on August 9 and peaked on August 19 with over 2,500 hits.

According to Sucuri, the zero-day was disclosed via underground forums, so the developer should have actively alerted its customers of the threat, instead of taking the silent patch approach.